SharePoint Online: Remove “Everyone except external users” from All Sites
Requirement: Find and Remove the “Everyone except external users” group from All SharePoint Online Sites.
PowerShell to Find All sites where “Everyone except external users” is Added
Let’s first understand the “Everyone except external users” group in SharePoint Online. This group includes all users in your organization but excludes external users or guests. It’s a broad group used for sharing content with a wide internal audience without manually adding individual users. Granting permissions to “Everyone except external users” gives all internal users access to the content while keeping external users out.
How do you find sites where the “Everyone except external users” group has permissions? PowerShell! Before proceeding with this script, make sure your account has site collection admin rights on all sites: How to Add your account as a site admin for all sites in the tenant?
$AdminCenterURL = "https://crescent-admin.sharepoint.com"
$CSVPath = "C:\Temp\EveryoneExceptGrp.csv"
#Connect to SharePoint Online Admin Center
Connect-PnPOnline -URL $AdminCenterURL -Interactive
#Get the Tenant ID
$TenantID = Get-PnPTenantId
$SearchGroupID = "spo-grid-all-users/$TenantID" #Everyone except external users
# Get all SharePoint Online sites
$AllSites = Get-PnPTenantSite | Where -Property Template -NotIn ("SRCHCEN#0", "REDIRECTSITE#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1")
$Result = @()
#Loop through each site collection
ForEach($Site in $AllSites)
{
    Write-host -f Yellow "Processing site:" $Site.URL
    #Connect to the Site
    Connect-PnPOnline -URL $Site.URL -Interactive
    #Get the site groups that contain "Everyone except external users"
    $Groups = Get-PnPSiteGroup -Site $Site.Url | Where-Object { $_.Users -contains $SearchGroupID }
    If($Groups)
    {
        Write-host -f Green "`tFound the Group under:" ($Groups.Title -join "; ")
        $Result += [PSCustomObject][ordered]@{
            SiteName = $Site.Title
            URL = $Site.URL
            Permissions = "Group(s): $($Groups.Title -join "; ")"
        }
    }
    Else
    {
        #Check if the site (or its objects) contains any Direct permissions to "Everyone except external users"
        $EEEUsers = Get-PnPUser | Where {$_.Title -eq "Everyone except external users"}
        If($EEEUsers)
        {
            Write-host -f Green "`tFound the 'Everyone except external users' group with direct permissions!"
            $Result += [PSCustomObject][ordered]@{
                SiteName = $Site.Title
                URL = $Site.URL
                Permissions = "Direct Permissions"
            }
        }
    }
}
$Result | Format-Table
#Export Results to CSV (without the "#TYPE" header line that Windows PowerShell 5.1 adds by default)
$Result | Export-Csv -Path $CSVPath -NoTypeInformation
This script scans all sites in your tenant for the “Everyone except external users” group and exports its findings to a CSV file.
Remove “Everyone except external users” from All Sites
Now, the next step is removing the “Everyone except external users” from All SharePoint Online Sites in the Microsoft 365 tenant. Please be cautious: This includes all the “Public” sites created – as SharePoint automatically adds this group to the site’s members group by default. You can switch the SharePoint site’s privacy from Public to Private to delete everyone except external users from the site.
How to remove the “Everyone except external users” from a SharePoint Online site?
There are various scenarios where an organization might want to remove the “Everyone except external users” group from a SharePoint site, e.g., for security and compliance reasons. Here is how to remove it from the site:
- Navigate to the Site Permissions Page
  - Go to your SharePoint site.
  - Click on the gear icon to open the settings.
  - Select “Site Permissions.”
- Modify the Permissions
  - In the “Permissions” tab, look for the “Everyone except external users” group. It may be inside any group, such as Members, Visitors, etc.
  - Select the “Everyone except external users” group and then select “Delete Users from site collection” from the “Actions” menu.
  - Confirm the removal to proceed.
This method is straightforward but can be time-consuming if you need to repeat the process across multiple sites. PowerShell is highly recommended, as it is a more efficient way to remove the group across multiple sites.
PowerShell to Remove Everyone except external users in SharePoint Online
The script below connects to SharePoint Online and removes “Everyone except external users” from the site groups of a specific SharePoint Online site. Set $SiteURL accordingly. Before removing the “Everyone except external users” group, review the permissions once again!
$SiteURL = "https://crescent.sharepoint.com/sites/HR"
#Connect to SharePoint Online Site
Connect-PnPOnline -URL $SiteURL -Interactive
#Get the Tenant ID
$TenantID = Get-PnPTenantId
$SearchGroupID = "spo-grid-all-users/$TenantID" #Everyone except external users
$EEEUsersID = "c:0-.f|rolemanager|$SearchGroupID"
#Check if any Site Group contains "Everyone except external users"
$Groups = Get-PnPSiteGroup -Site $SiteUrl | Where-Object { $_.Users -contains $SearchGroupID }
If($Groups)
{
    Write-host -f Yellow -NoNewline "Found the Group under:" ($Groups.Title -join "; ")
    #Remove from the Group
    $Groups | ForEach-Object { Remove-PnPGroupMember -LoginName $EEEUsersID -Identity $_.Title }
    Write-host -f Green "`tRemoved from the Group(s)!"
}
Similarly, for the “Everyone” group, you can use the group identifier: “c:0(.s|true”. Please note that the above script removes “Everyone except external users” only from the site groups, not from the entire site collection. If you want to remove it from the site altogether, use:
$SiteURL = "https://crescent.sharepoint.com/sites/HR"
#Connect to SharePoint Online Site
Connect-PnPOnline -URL $SiteURL -Interactive
#Check if the site contains "Everyone except external users"
$EEEUsers = Get-PnPUser | Where {$_.Title -eq "Everyone except external users"}
If($EEEUsers)
{
    Write-host -f Yellow -NoNewline "Found the 'Everyone except external users' in Site!"
    #Remove user from the site
    Remove-PnPUser -Identity "Everyone except external users" -Force -ErrorAction SilentlyContinue
    Write-host -f Green "`tRemoved!"
}
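Added example (not one of the original article's scripts): before running either removal script on a site, this records which permission levels “Everyone except external users” currently holds on the root web, directly or through a site group, so the change can be reviewed and reversed. The output path and column names are assumptions, and it inspects the root web only, not lists or items with unique permissions.

```powershell
$SiteURL    = "https://crescent.sharepoint.com/sites/HR"   # site URL used on this page
$BackupPath = "C:\Temp\EEEU-Before-Removal.csv"            # hypothetical output path

Connect-PnPOnline -Url $SiteURL -Interactive

# Same claim construction as the group-removal script above
$EEEUsersID = "c:0-.f|rolemanager|spo-grid-all-users/$(Get-PnPTenantId)"

# Load the root web's role assignments (who holds which permission level)
$Web = Get-PnPWeb -Includes RoleAssignments
$Snapshot = ForEach ($RA in $Web.RoleAssignments)
{
    Get-PnPProperty -ClientObject $RA -Property Member, RoleDefinitionBindings | Out-Null

    # "Limited Access" is assigned automatically and grants nothing by itself
    $Levels = ($RA.RoleDefinitionBindings | Where-Object { $_.Name -ne "Limited Access" }).Name -join "; "
    If (-not $Levels) { Continue }

    $Via = $null
    If ($RA.Member.LoginName -eq $EEEUsersID)
    {
        $Via = "Direct permission"
    }
    ElseIf ($RA.Member.PrincipalType -eq "SharePointGroup")
    {
        # Does this site group contain the EEEU claim as a member?
        $Members = Get-PnPGroupMember -Group $RA.Member.Title
        If ($Members.LoginName -contains $EEEUsersID) { $Via = "Group: $($RA.Member.Title)" }
    }

    If ($Via)
    {
        [PSCustomObject]@{
            SiteURL          = $SiteURL
            GrantedVia       = $Via
            PermissionLevels = $Levels
            CapturedOn       = (Get-Date).ToString("s")
        }
    }
}

$Snapshot | Format-Table -AutoSize
$Snapshot | Export-Csv -Path $BackupPath -NoTypeInformation
```

An empty result means the group has no root-web access; it can still hold permissions on a list, library, folder or file with unique permissions.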
Alright. How about removing Everyone except external users from all sites in the tenant?
$AdminCenterURL = "https://crescent-admin.sharepoint.com"
#Connect to SharePoint Online Admin Center
Connect-PnPOnline -URL $AdminCenterURL -Interactive
# Get all SharePoint Online sites
$AllSites = Get-PnPTenantSite | Where -Property Template -NotIn ("SRCHCEN#0", "REDIRECTSITE#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1")
#Loop through each site collection
ForEach($Site in $AllSites)
{
    Write-host -f Magenta "Processing site:" $Site.URL
    #Connect to the Site
    Connect-PnPOnline -URL $Site.URL -Interactive
    #Check if the site contains any permissions (Direct/Group Membership) to "Everyone except external users"
    $EEEUsers = Get-PnPUser | Where {$_.Title -eq "Everyone except external users"}
    If($EEEUsers)
    {
        Write-host -f Yellow -NoNewline "`tFound the 'Everyone except external users' group on the site! "
        #Remove user from the site
        Remove-PnPUser -Identity "Everyone except external users" -Force
        Write-host -f Green "Removed!"
    }
}
The above script checks if Everyone except external users is part of any site group or has any site permissions when it’s added directly to the site/list/library/folder or file. If so, the script removes the “Everyone except external users” from the entire site collection.
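Added example (not the article's own script): a variant of the tenant-wide pass that records an outcome for every site, so sites that could not be processed, for instance because the account is not a site collection administrator there, show up in a log. The `$DryRun` switch, the log path and the outcome labels are assumptions; the user is removed by the login name returned from `Get-PnPUser`.

```powershell
$AdminCenterURL = "https://crescent-admin.sharepoint.com"
$LogPath = "C:\Temp\EEEU-Removal-Log.csv"   # hypothetical output path
$DryRun  = $true                            # hypothetical switch: set to $false to actually remove

Connect-PnPOnline -Url $AdminCenterURL -Interactive
$AllSites = Get-PnPTenantSite | Where-Object -Property Template -NotIn ("SRCHCEN#0", "REDIRECTSITE#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1")

$Log = ForEach ($Site in $AllSites)
{
    $Outcome = "NotPresent"; $Detail = ""
    Try
    {
        # -ErrorAction Stop turns any failure into an exception the Catch block can record
        Connect-PnPOnline -Url $Site.URL -Interactive -ErrorAction Stop
        $EEEUsers = Get-PnPUser -ErrorAction Stop | Where-Object { $_.Title -eq "Everyone except external users" }
        If ($EEEUsers)
        {
            If ($DryRun) { $Outcome = "WouldRemove" }
            Else
            {
                ForEach ($User in $EEEUsers)
                {
                    Remove-PnPUser -Identity $User.LoginName -Force -ErrorAction Stop
                }
                $Outcome = "Removed"
            }
        }
    }
    Catch
    {
        # The group may still be present on this site: keep the reason for follow-up
        $Outcome = "Failed"; $Detail = $_.Exception.Message
    }
    [PSCustomObject]@{ URL = $Site.URL; Outcome = $Outcome; Detail = $Detail }
}

# Summary by outcome, then the sites that need another look
$Log | Group-Object Outcome | Select-Object Name, Count | Format-Table -AutoSize
$Log | Where-Object Outcome -eq "Failed" | Format-Table URL, Detail -Wrap
$Log | Export-Csv -Path $LogPath -NoTypeInformation
```

Run it once with `$DryRun = $true` and review the “WouldRemove” rows before switching it off.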
If you want to disable the “Everyone except external users” group from future use, you can do it with PowerShell: How to Disable the “Everyone” / “Everyone except external users” Groups in SharePoint Online?
Summary
In conclusion, removing the “Everyone except external users” group can be necessary for various scenarios, including compliance, security, and specific collaboration requirements. Whether you choose to remove this group manually or through PowerShell, it’s essential to proceed with caution and adhere to best practices. Regularly reviewing and adjusting permissions ensures that your SharePoint environment remains secure, compliant, and conducive to productive collaboration.
The ‘Everyone’ group includes all users who have access to your SharePoint environment. This group allows you to grant permissions to all internal users without having to specify each user individually.
You don’t need to add users to this group manually. All internal users are automatically included in it, provided they have a SharePoint license.
“Everyone except external users” is a permission group in SharePoint that includes all licensed users within your organization but excludes any external users, such as partners or customers, who have been given access to your SharePoint site.
To grant access to ‘Everyone’, you need to browse to the SharePoint site, Click on Settings and then site permission, and grant Read/edit permissions to the “Everyone” group. You can also navigate to the SharePoint list, library, and folder and add the ‘Everyone’ group to the desired permission level. Make sure to uncheck the “Send an email invitation” option to avoid sending an email to all users.
To enable the ‘Everyone’ group at the tenant level, execute the command Set-SPOTenant -ShowEveryoneClaim $true after connecting to the SharePoint Tenant Admin through PowerShell.
To grant access using this group, go to the SharePoint site, click on “Site permissions” under “Site settings,” then click “Grant Permissions.” In the “Share” dialog box, type “Everyone except external users”, select the appropriate permission level, and click “Share.”
You can assign any of the available permission levels to this group, such as “Read,” “Contribute,” “Design,” or “Full Control,” depending on the level of access you want to grant to the internal users.
To remove “Everyone except external users” from a SharePoint Online site, follow these steps: Navigate to the Site, click on the gear icon to open the settings, select “Site Permissions”, and remove the group “Everyone except external users” from the site.
Wonderful script, sir.
I was wondering why I receive an “unauthorized permission” for every script when trying to get-pnpcmdlet anything from the retrieved SP sites.
I’m global admin, SharePoint admin. PnP shell on Azure AD is with all default permissions admin consented. Even when trying your script it gives me unauthorized permission on this line.
$EEEUsers = Get-PnPUser | Where {$_.Title -eq “Everyone except external users”}
Would you know why?
example:
connect-pnponline https://tenant-admin.sharepoint.com/ -Interactive
Connect-PnPOnline https://tenant.sharepoint.com/sites/1000391-Modelcalibration-com -Interactive
$EEEUsers = Get-PnPUser | Where {$_.Title -eq “Everyone except external users”}
Get-PnPUser: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
When it’s not this access is denied, it is UNAUTHORIZED PERMISSION.
I’m lost about this.
Please add yourself as site collection administrator to all sites in the tenant!
Yep! So, I’ve been using a command like `set-pnptenantsite -Identity $SiteURL -Owners $AdminEmail` for this task. But my organization isn’t too thrilled about having us admins as site collection admins on all the sites, so I need to instantly remove myself after performing the operation. Users get a bit uneasy when they see another user as the owner of their content. Right now, I’m trying to find a way to handle all these operations without needing to add myself as an owner/site admin and then quickly removing myself. I’m tinkering with the idea of using an app registration for authentication to see if that solves the issue. 😄
You know a way?
Agreed! You can remove site collection admin from all OneDrive sites once you are done with it! App IDs are also a good idea!